[Zope] Re: Re: major problems placing authentication on
an extranet site-security flaw?
Chris Withers
chris at simplistix.co.uk
Wed Feb 15 12:44:08 EST 2006
michael nt milne wrote:
> Chris, back to throwing personal insults eh.
It's not so much an insult as a statement of fact. Retarded means
"slower", and given how slow you seem to be to "get" the stuff we're
discussing, I think the shoe fits. Not necessarily meant as an insult,
but if you want to take it as such, so be it...
> refrain from 'gratuitous insults'. That's just going to turn people
> away and harm the cause of Zope.
Some people this community could do without. I have no doubt that you'd
argue that I am one of those people. I, of course, feel the same about
you ;-)
>>> I hope you're making sure the "secure" bit is set on those cookies ;-)
>
> I take it this is a joke.
Okay, so you don't want to bother reading specs eithers. Great. Go read
up on the cookie spec, find out what the secure bit of a cookie does...
> Plone uses cookie authentication by default.
And Plohn is hideously insecure by default, what's your point?
> You can't log in with out that.
Sure you can, chuck ?disable_cookie_auth__=1 on the end of a url that's
not anonymously accessible...
> There are security risks there but
> good user education with a strong password policy, no use of 'save
> password' facilities and SSL is a start at least.
Good luck, you're gonna need it...
>>> Considering you can't even quote a response correctly, I somehow doubt
> that..
>
> Oh come on.
What? You're mail client put >>> in front of your previous post, which
is faulty for the majority of mail clients used by people on this list.
Fix it.
>> Fine, don't take our advice, but don't expect help either.
>
> What because I don't take all your advice? That's a bit elitist and
> also not good for growing the user base of Zope.
You don't take anyone's advice on this list without bitching and whining
about it...
> And to finish on my problem with IE over SSL, I'll be implementing the
> help found here. It's recognised that there are problems and bugs in
> IE over SSL:
Your problem will undoubtedly be that access_rule put in by the Plohn
installer. Remove it, and I'll bet your problems go away. But hey, what
do I know?
> MSIE versions. You can work around these problems by forcing Apache
> not to use HTTP/1.1, keep-alive connections or send the SSL close
> notify messages to MSIE clients. This can be done by using the
> following directive in your SSL-aware virtual host section
So, have you actually followed this advice? What difference has it made?
*sigh*
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
More information about the Zope
mailing list